Workflow - Publishing to Git Repositories

Problem Summary

Would you like to browse code in an interface you are familiar with but that is not supported as a Source Code Provider for Chef Automate? Look no further! This guide shows how to publish your Git master branch to a remote Git master branch during the Publish phase of the Chef Automate pipeline.

Publish Phase

The Publish phase is intended to "publish" the code or artifacts from your pipeline to a location that other phases or stages can consume. The default publish recipe lives in your project at .delivery/build_cookbook/recipes/publish.rb.

As you can see, the actions that take place in this phase are defined in the delivery-truck cookbook's publish recipe, and the destinations your code/artifacts are published to are defined in your .delivery/config.json file. For a full list of these options see here.

Methods of Publishing to Git Repositories

Method 1 - Using config.json and delivery-secrets

This method uses your config.json and encrypted data bags. Since it is already well documented in the delivery-truck README, see here if you would like to use it.

WARNING: This method uses encrypted data bags and, by extension, shared-key encryption (one secret held by everything that needs to decrypt the bag).

Method 2 - Using Chef Vault and delivery_github

Inside delivery-truck's publish recipe we can see that the custom resource delivery_github is called. Since we include delivery-truck in our recipe, this custom resource is available for us to use as well.

We can see from line 107 that the secrets hash is passed into the deploy_key attribute. If we look at where this variable is set on line 103, we can see it is populated by the get_project_secrets method. Since we do not want to use shared-key encryption or, by extension, encrypted data bags, we need another way to obtain this deploy_key value. One way of achieving this is via Chef Vault.

If you follow the recommendations in my blog post about using Chef Vault in Automate, you will have everything you need to add this deploy_key attribute to your project's Chef Vault.

Just add the following key/value pairs to the ent_name-org_name-project_name vault under the workflow-vaults data bag on the Automate Chef Server:

"git_repo_url": "ssh://<project-name>/<repo-name>",
"git_private_key": "PRIVATE KEY OF YOUR GIT USER",

Then you would add the following to your publish recipe (after the code snippet from my blog post):


delivery_github git_repo do
  deploy_key vault_data['git_private_key']
  branch node['delivery']['change']['pipeline']
  remote_url vault_data['git_repo_url']
  repo_path node['delivery']['workspace']['repo']
  cache_path node['delivery']['workspace']['cache']
  action :push

Doing so lets you publish your code to a Git repository without relying on shared-key encryption.
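As an added example (not code from the original post or the delivery-truck cookbook), the helper below derives the ent_name-org_name-project_name vault item name from the standard node['delivery']['change'] attributes and checks the two vault keys before they reach delivery_github, so a missing or malformed git_private_key fails the Publish phase with a clear message instead of a confusing push error. The function names and the ssh:// check are assumptions of this example; the chef-vault call is shown only in a comment.

```ruby
require 'openssl'

WORKFLOW_VAULT_BAG = 'workflow-vaults'.freeze
REQUIRED_KEYS = %w[git_repo_url git_private_key].freeze

# Builds "<enterprise>-<organization>-<project>", the vault item name used
# under the workflow-vaults data bag. Only node['delivery']['change'] is read.
def workflow_vault_item_name(node)
  change = node['delivery']['change']
  "#{change['enterprise']}-#{change['organization']}-#{change['project']}"
end

# Validates the vault item before its values are handed to delivery_github.
# Returns the same hash on success, raises ArgumentError otherwise.
def validate_git_publish_secrets(vault_data)
  missing = REQUIRED_KEYS.reject do |k|
    vault_data[k].is_a?(String) && !vault_data[k].strip.empty?
  end
  raise ArgumentError, "vault item missing keys: #{missing.join(', ')}" unless missing.empty?

  url = vault_data['git_repo_url']
  unless url.start_with?('ssh://')
    raise ArgumentError, "git_repo_url must be an ssh:// URL, got #{url.inspect}"
  end

  # Parse the key now so a typo or a pasted public key is caught before the push.
  begin
    key = OpenSSL::PKey.read(vault_data['git_private_key'])
  rescue OpenSSL::PKey::PKeyError => e
    raise ArgumentError, "git_private_key is not a parseable private key: #{e.message}"
  end
  unless key.respond_to?(:private?) && key.private?
    raise ArgumentError, 'git_private_key holds a public key, not a private key'
  end
  vault_data
end

# In the publish recipe (hypothetical wiring, chef-vault must be available):
#   vault_data = ChefVault::Item.load(WORKFLOW_VAULT_BAG, workflow_vault_item_name(node))
#   validate_git_publish_secrets(vault_data)
#   delivery_github ... (resource block as above)
```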

Extra Resources